A security researcher has found an extremely simple way to bypass Gatekeeper to allow Macs to open any malicious app, even when it is set to open only apps downloaded from the Mac App Store.
Patrick Wardle, director of research at security firm Synack, told Ars Technica that once Gatekeeper approves an app, it pays no further attention to what that app does. The approved app can then launch other apps, which Gatekeeper does not check, including malicious ones.
Wardle has found a widely available binary that’s already signed by Apple. Once executed, the file runs a separate app located in the same folder as the first one […] His exploit works by renaming Binary A but otherwise making no other changes to it. [He then] swaps out the legitimate Binary B with a malicious one and bundles it in the same disk image under the same file name. Binary B needs no digital certificate to run, so it can install anything the attacker wants …
In other words, all someone needs to do is identify the same app Wardle found (or others with the same capability), rename it and then bundle it with a renamed malicious app. A similar method also works with plugins: find an app that loads plugins, substitute your malware for one of those plugins and again Gatekeeper pays no attention.
Wardle is not revealing the name of the app, but suspects that there are others out there.
“If I can find it, you have to assume groups of hackers or more sophisticated nation states have found similar weaknesses,” he said. “I’m sure there are other Apple-signed apps out there” that can also be abused to bypass Gatekeeper.
Wardle says that he reported the vulnerability to Apple more than 60 days ago, and Apple confirmed to Ars Technica that it is working on a patch.
Apple made unspecified changes to Gatekeeper a year ago, requiring developers to re-sign and re-upload apps.
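The weakness described above is that Gatekeeper assesses only the binary the user launches, not the other executables shipped alongside it. The following audit script is an added example, not code from the article or from Wardle's research; its function names (is_macho, audit_dir, check_dir) are assumptions, and it relies on macOS's codesign tool being present.

```shell
#!/bin/sh
# Hypothetical audit helper, not code from the article or from Wardle's research.
# Gatekeeper assesses only the app the user launches; a second, unsigned
# executable shipped in the same folder (the article's "Binary B") is never
# checked. This script checks every Mach-O file in a folder, e.g. a mounted
# disk image, and reports the ones whose signature does not verify.
set -u

# Return 0 when the file begins with a Mach-O or fat (universal) magic number.
# Bytes are read in file order, so both endian forms of each magic are listed.
is_macho() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        feedface|cefaedfe|feedfacf|cffaedfe|cafebabe|bebafeca) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per Mach-O file under the directory:
#   SIGNED   <path>   codesign --verify --deep --strict succeeded
#   UNSIGNED <path>   no signature, or verification failed
# Returns 2 when codesign is not available (i.e. not running on macOS).
audit_dir() {
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not found; run this on macOS" >&2
        return 2
    fi
    find "$1" -type f | while IFS= read -r f; do
        is_macho "$f" || continue
        if codesign --verify --deep --strict "$f" >/dev/null 2>&1; then
            printf 'SIGNED   %s\n' "$f"
        else
            printf 'UNSIGNED %s\n' "$f"
        fi
    done
}

# Scripting wrapper: exit 1 if any unsigned Mach-O sits next to the app.
check_dir() {
    out=$(audit_dir "$1") || return $?
    [ -n "$out" ] && printf '%s\n' "$out"
    case "$out" in *UNSIGNED*) return 1 ;; esac
    return 0
}

if [ $# -gt 0 ]; then
    check_dir "$1"
fi
```

Run it against the mount point of a downloaded disk image (for example `sh audit.sh /Volumes/SomeApp`); a non-zero exit means an unsigned executable is bundled next to the signed one, which is exactly the case Gatekeeper alone would not flag.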
Whoops huh?
Not really a “Whoops” – Humans create the protections, humans find a way around it. Once this is patched, those that want to will look to find a new way.
Ironically, what I think this eventually leads to is a “phone home” to the Apple Servers any time an Apple signed app wants to open to validate something.
Indeed! And to think all Macs have been vulnerable all this time… and no one has been infected; what are the odds, huh?
The old “trust of untrustworthy apps” problem. Heck, people authorize apps with an admin account all the time. Stupid, but they do it. Some dumb apps require it even.
Now I get to type in my password even more than I already do. Please give us Touch ID for Mac.
Awesome suggestion. They should find a way to integrate it into the trackpad.
In the past few weeks Zerodium began offering a million dollars to anyone who can compromise iOS. Zerodium then sells it on to governments around the world and, weirdly, Fortune 500 companies. Now, I’m not a hacker, but if I’d discovered a serious hole in iOS and the choice was between handing it over to the richest company in the world *for free* (knowing that it saved them a potential PR disaster worth billions down the road), or selling it to the dark side for a million bucks… I honestly don’t know what I’d do.
(There are also other, smaller blackhat bounties, which still stand in sharp contrast to Apple’s zilch.)
This story makes things so much worse, as it shows that even when people are making the conscious choice to inform Apple, to hand it to the world’s richest company on a plate for free, they haven’t even fixed it over two months later.
This is probably a big reason why Apple are the only major company to (shamefully) not offer a bug bounty. Apple would be swamped and security researchers would witness at scale how long it’s taking Apple to patch vulnerabilities.
Apple need to hire a fleet of security researchers and bug fixers. Acquire a company or two. There’s no excuse for this kind of thing happening time and time again by the biggest tech company in the world.
I can totally relate this to an incident that occurred a few months ago.
Hi 9to5Mac, I just saw the MacKeeper ad here in between the paragraphs, and as per the articles on the Internet the software is malware.
Thanks for letting us know – we don’t directly control which ads are shown but can report inappropriate ads to Google.